Luis:
Heya. I think the page you're asking about is this one:
www.echogent.com/cgi-bin/fwlog.pl
I sent Mike the code to get that running on the LEAF site,
I suspect he's been way too busy though. Also, you may want to
visit SecurityFocus.com. Tina Bird has started a new email list
all about log analysis:
[EMAIL PROTECTED]
Regarding the packets you're seeing... if you're seeing
3 attempts in a row, from the same IP source, then it's likely
CodeRed. That's its signature. If you're seeing different ports
probed from the same IP source, I'd suspect Nimda. Hard to
say without seeing the data payload, of course.
Though...if you're running Apache anywhere on your
LAN, it's much easier to tell. The error.log file would be
filled with:
[Thu Sep 20 23:28:15 2001] [error] [client 193.13.81.201] File does not exist: /home/www/http_docroot/default.ida
The "default.ida" is a CodeRed certainty. I got tons of
those on my server.
cheers,
Scott
On Fri, 21 Sep 2001, Luis.F.Correia wrote:
>
> Last night, while browsing around I started to get entries
> like this on my logs.
>
> I'm using an ES2B modified version (PPP)
>
> Is this a CodeRed scan?
>
> Sorry that it is not properly formatted.
>
> Also I lost the link to that page on where we could put lines
> like this to get extra info. Could someone post it again? Thanks!
>
> ---------------------------------------------------------
>
>
> Sep 20 23:28:15 porteiro kernel: Packet log: input DENY ppp0 PROTO=6 193.13.81.201:1201 193.126.171.3:80 L=48 S=0x00 I=46155 F=0x4000 T=112 SYN (#37)
_______________________________________________
Leaf-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-devel
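The two checks Scott describes above (the "default.ida" marker in Apache's error.log, and the rule of thumb for the firewall packet log: repeated SYNs to tcp/80 from one source vs. several ports probed from one source), written out as an added example. This is not code from the thread or from the LEAF project. The two parsers match the ipchains-style "Packet log:" line and the Apache error.log line quoted in the thread; apart from the two quoted lines, the sample log data is constructed (RFC 5737 documentation addresses), and the "codered-like"/"nimda-like" labels are Scott's heuristic, not a payload-based identification.

```python
import re
from collections import defaultdict

# ipchains-style kernel "Packet log:" line as quoted in the thread; search() skips the
# syslog prefix (timestamp, host, "kernel:").
PACKET_LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<action>\w+) (?P<iface>\w+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)(?P<rest>.*)$"
)
# Apache error.log line as quoted in the thread.
APACHE_ERROR_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<client>[\d.]+)\] "
    r"File does not exist: (?P<path>\S+)"
)


def parse_packet_log(line):
    """Fields of one 'Packet log:' line, or None if the line is not one."""
    m = PACKET_LOG_RE.search(line)
    if m is None:
        return None
    return {
        "action": m["action"], "iface": m["iface"], "proto": int(m["proto"]),
        "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]),
        "syn": " SYN" in m["rest"],  # TCP flag summary printed near the end of the line
    }


def parse_apache_error(line):
    """Client and path from a 'File does not exist' error.log line, or None."""
    m = APACHE_ERROR_RE.match(line)
    return None if m is None else {"client": m["client"], "path": m["path"]}


def classify_sources(packet_lines, min_run=3):
    """Scott's rule of thumb applied to TCP SYNs in a packet log:
    min_run or more SYNs to tcp/80 in a row from one source -> 'codered-like';
    one source probing more than one destination port     -> 'nimda-like';
    otherwise 'unclassified'. Without payload this is a heuristic, not an ID."""
    ports_by_src = defaultdict(set)
    repeated = set()
    run_src, run_len = None, 0
    for line in packet_lines:
        rec = parse_packet_log(line)
        if rec is None or rec["proto"] != 6 or not rec["syn"]:
            continue
        ports_by_src[rec["src"]].add(rec["dport"])
        if rec["dport"] != 80:
            run_src, run_len = None, 0  # a SYN to another port breaks the run
            continue
        run_len = run_len + 1 if rec["src"] == run_src else 1
        run_src = rec["src"]
        if run_len >= min_run:
            repeated.add(rec["src"])
    verdicts = {}
    for src, ports in ports_by_src.items():
        if len(ports) > 1:
            verdicts[src] = "nimda-like (several ports probed)"
        elif src in repeated:
            verdicts[src] = "codered-like (repeated SYNs to tcp/80)"
        else:
            verdicts[src] = "unclassified"
    return verdicts


def codered_clients(error_lines):
    """Clients that requested default.ida, the CodeRed marker in error.log."""
    recs = (parse_apache_error(l) for l in error_lines)
    return {r["client"] for r in recs if r and r["path"].endswith("/default.ida")}


# Constructed sample data: the first packet line and the first Apache line are the ones
# quoted in the thread, the rest are made up (RFC 5737 documentation addresses).
PACKET_LOG_SAMPLE = [
    "Sep 20 23:28:15 porteiro kernel: Packet log: input DENY ppp0 PROTO=6 "
    "193.13.81.201:1201 193.126.171.3:80 L=48 S=0x00 I=46155 F=0x4000 T=112 SYN (#37)",
    "Sep 20 23:28:18 porteiro kernel: Packet log: input DENY ppp0 PROTO=6 "
    "193.13.81.201:1201 193.126.171.3:80 L=48 S=0x00 I=46301 F=0x4000 T=112 SYN (#37)",
    "Sep 20 23:28:24 porteiro kernel: Packet log: input DENY ppp0 PROTO=6 "
    "193.13.81.201:1201 193.126.171.3:80 L=48 S=0x00 I=46517 F=0x4000 T=112 SYN (#37)",
    "Sep 20 23:31:02 porteiro kernel: Packet log: input DENY ppp0 PROTO=6 "
    "198.51.100.7:3311 193.126.171.3:80 L=48 S=0x00 I=1010 F=0x4000 T=116 SYN (#37)",
    "Sep 20 23:31:03 porteiro kernel: Packet log: input DENY ppp0 PROTO=6 "
    "198.51.100.7:3312 193.126.171.3:139 L=48 S=0x00 I=1011 F=0x4000 T=116 SYN (#38)",
    "Sep 20 23:31:04 porteiro kernel: Packet log: input DENY ppp0 PROTO=6 "
    "198.51.100.7:3313 193.126.171.3:21 L=48 S=0x00 I=1012 F=0x4000 T=116 SYN (#39)",
    "Sep 20 23:40:00 porteiro kernel: Packet log: input DENY ppp0 PROTO=6 "
    "192.0.2.9:4000 193.126.171.3:80 L=48 S=0x00 I=777 F=0x4000 T=64 SYN (#37)",
]
APACHE_ERROR_SAMPLE = [
    "[Thu Sep 20 23:28:15 2001] [error] [client 193.13.81.201] "
    "File does not exist: /home/www/http_docroot/default.ida",
    "[Thu Sep 20 23:29:40 2001] [error] [client 192.0.2.9] "
    "File does not exist: /home/www/http_docroot/robots.txt",
]

if __name__ == "__main__":
    for src, verdict in sorted(classify_sources(PACKET_LOG_SAMPLE).items()):
        print(f"{src:16} {verdict}")
    print("default.ida requested by:", sorted(codered_clients(APACHE_ERROR_SAMPLE)))
```

Run it against a real /var/log/messages and error.log by feeding the file lines in place of the sample lists. The "in a row" run counter resets whenever a SYN to some other port appears between the port-80 attempts, which is what keeps a port-sweeping host from also being counted as CodeRed-like; as Scott notes, only the payload settles it.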